Re: [TLS] TLS interception technologies that can be used with TLS 1.3

Yoav Nir <ynir.ietf@gmail.com> Thu, 15 March 2018 04:51 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD66F12D872 for <tls@ietfa.amsl.com>; Wed, 14 Mar 2018 21:51:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bsYm1nwmloOZ for <tls@ietfa.amsl.com>; Wed, 14 Mar 2018 21:51:17 -0700 (PDT)
Received: from mail-wm0-x231.google.com (mail-wm0-x231.google.com [IPv6:2a00:1450:400c:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBA6912D871 for <tls@ietf.org>; Wed, 14 Mar 2018 21:51:16 -0700 (PDT)
Received: by mail-wm0-x231.google.com with SMTP id x7so7919809wmc.0 for <tls@ietf.org>; Wed, 14 Mar 2018 21:51:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=rj6OfRPqPPVVX1P1D8mmUC0Hm9NrWBIVG7V1skkDpR4=; b=IkuvtDfdOxUCIOd4nlPhH+UYPwkwTyRrYeoyd7n57vK6ZhwiSO+m2QhVSz7AW7NHem K6di6ewaUOpak64Unt9EYUY9YilEQB9oQi6rsdYQvkwza6Rnvn/g9Q7iNZVV+dTzdDdj 9jW32YPr58YJmDQr8/DWHbXXA2PiLSUkMeno03YCf3gsh7TGs1ViOwYsdZfIhwd70IGh 7bne6RniS1KmEwSer1WZjRIULdXI3/f0Vx4z1mGtsa45gk4XOH2BUl7+kyy+GwxReDE4 IOoezVBwLXINkFl/KQOMcVQw79NYEjPR94taUYod2EKVu6ba5yqVIfY1IRchJqhYKnWd HyyA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=rj6OfRPqPPVVX1P1D8mmUC0Hm9NrWBIVG7V1skkDpR4=; b=rmgQ8saMJ3S2fbw435/d0ia9QVboD0tqEl2EjN6t3W3HF1VogvWwsLSWG5oIQhlGXZ qwbscdVifHYFZsnSZazJkNvNdgPXNzOyeqYAqk+t0XKw2AsRzOOflVJPtYCfCzPpY9o9 C8HtOsEeI9gsI7vOsD/w7wybK46PCpfyIBff8LnggMDmRgq4biz9xRIyAhKDVUlJD4lz 9fQ9UXcrHYKG+enrCi9Ck8MYPDo27guKnTAAbsTz4YmFUKyiom2A2YZw/QJwkczxB5lV BvVKrOeIuiBCA0UVQih01G7OyhV2Tun41+kqYzdslK5YrIW85CEOJfCNVme++lIKU3rx gE0w==
X-Gm-Message-State: AElRT7E02GW3OMNzqh8xRGxIRLe3XARQeOtB0aDex0cyD4qhoe9wnfGg s5FENCoO2Qzv/1dfMcqXuoM=
X-Google-Smtp-Source: AG47ELud2skWPV33Pg7naF7tA9x74zhJ8PiOqGpq5os960VJs8SdQzYvGeBk3qviNdXa5qPJbKwZlA==
X-Received: by 10.80.148.229 with SMTP id t34mr5841171eda.146.1521089475438; Wed, 14 Mar 2018 21:51:15 -0700 (PDT)
Received: from [192.168.1.18] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id w16sm1338912edd.61.2018.03.14.21.51.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 14 Mar 2018 21:51:14 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CACsn0cmNuuG4dhkouNzb=RDfYwG25VaKN7cGhm21wfLk-NmS5A@mail.gmail.com>
Date: Thu, 15 Mar 2018 06:51:31 +0200
Cc: tls@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <9B30F837-8F6A-4AF0-A3BD-69F9AFED5D7B@gmail.com>
References: <CACsn0cmNuuG4dhkouNzb=RDfYwG25VaKN7cGhm21wfLk-NmS5A@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/cUDXBuFNtqL-PP9eMJ6cc5SfZm0>
Subject: Re: [TLS] TLS interception technologies that can be used with TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2018 04:51:19 -0000

At the risk of stating the obvious, it’s because server owners want to use the same OpenSSL, NSS, SChannel, or whatever you call the Java library that everybody else uses. They’re all widely used, actively maintained, and essentially free.

None of these libraries support any of this functionality.

> On 15 Mar 2018, at 2:16, Watson Ladd <watsonbladd@gmail.com>; wrote:
> 
> One can either use a static DH share, save the ephemerals on the
> servers and export them, or log all the data on the servers.
> 
> These options don't require any change to the wire protocol: they just
> require vendors supporting them. Why don't they meet the needs cited?
> 
> Sincerely,
> Watson
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls